The broker process is at the heart of the exploit: it uses a memory page, allocated with VirtualAllocEx, to store the original code of the system calls it overwrites in order to redirect them to the broker, said Guillaume Delugré, a researcher at Sogeti ESEC Lab. Even with ASLR enabled, the address returned by VirtualAllocEx is not randomized, so that page, and the system-call code it holds, ends up at a predictable, “nearly constant” location that the exploit can reach directly.
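The practical check behind that claim is whether an allocation made into a fresh target process with VirtualAllocEx (base address NULL) lands at the same address from one process to the next. The script below is an added example, not code from the article or from Delugré's post: it starts several throwaway target processes (notepad.exe is an assumption; any image will do), allocates one page in each the way a broker does, and reports whether the returned addresses repeat. It assumes a Windows host on which you may start and terminate processes.

```powershell
# Added example: probe whether VirtualAllocEx(NULL base) returns a predictable
# address across fresh target processes. Not part of the original article.
Add-Type -Namespace Win32 -Name Mem -MemberDefinition @"
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, UIntPtr dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool VirtualFreeEx(IntPtr hProcess, IntPtr lpAddress, UIntPtr dwSize, uint dwFreeType);
"@

$MEM_COMMIT     = 0x1000
$MEM_RESERVE    = 0x2000
$MEM_RELEASE    = 0x8000
$PAGE_READWRITE = 0x04

function Get-RemoteAllocAddress {
    param([string]$Image = 'notepad.exe')   # target image is an assumption
    # Start a fresh target; the handle from Process.Start is usable for VirtualAllocEx.
    $p = Start-Process -FilePath $Image -PassThru -WindowStyle Hidden
    try {
        # NULL base address: let the OS pick the first free region, as a broker would.
        $addr = [Win32.Mem]::VirtualAllocEx(
            $p.Handle, [IntPtr]::Zero, [UIntPtr]::new([uint32]0x1000),
            ($MEM_COMMIT -bor $MEM_RESERVE), $PAGE_READWRITE)
        if ($addr -eq [IntPtr]::Zero) {
            throw "VirtualAllocEx failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        # Release it again; MEM_RELEASE requires a size of 0.
        [Win32.Mem]::VirtualFreeEx($p.Handle, $addr, [UIntPtr]::Zero, $MEM_RELEASE) | Out-Null
        return $addr
    } finally {
        Stop-Process -Id $p.Id -Force
    }
}

$runs  = 5
$addrs = 1..$runs | ForEach-Object { (Get-RemoteAllocAddress).ToInt64() }
$addrs | ForEach-Object { 'allocated at 0x{0:X}' -f $_ }

$distinct = ($addrs | Sort-Object -Unique).Count
if ($distinct -eq 1) {
    'Same address in every target: an attacker inside the target can hard-code it.'
} else {
    "$distinct distinct addresses in $runs runs: bottom-up allocations are being randomized here."
}
```

Run it as a normal user; no elevation is needed to allocate in a process you created yourself. The result depends on the OS: on the Windows 7 era systems this article is about, bottom-up allocations with a NULL base are not randomized, which is what the exploit relies on, whereas later Windows releases added bottom-up and high-entropy randomization for ASLR-enabled images, so the addresses may differ from run to run there.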

In a blog post, Delugré goes on to detail the rest of the exploit's path, up to execution of the code injected via a specially crafted PDF file. He also provides proof-of-concept code and the various scripts that helped him reassemble the exploit.